Forgot your password?
typodupeerror
Security Internet Explorer The Internet

Criminals Attacking Myspace, Facebook IE Plugins 70

Posted by kdawson
from the unplug-for-safety dept.
An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."
This discussion has been archived. No new comments can be posted.

Criminals Attacking Myspace, Facebook IE Plugins

Comments Filter:
  • Get rid of ActiveX (Score:5, Insightful)

    by CastrTroy (595695) on Saturday February 23, 2008 @03:11PM (#22528432) Homepage
    Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful. It's nice that IE7 is somewhat standards compliant, and that IE8 will be even moreso, but if they can't fix/remove activeX, I think that they will really lose a lot more users to the more secure browsers.
    • by calebt3 (1098475) on Saturday February 23, 2008 @03:32PM (#22528596)
      I think Windows Update still uses it on XP.
    • Re: (Score:3, Insightful)

      by Tablizer (95088)
      Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful.

      It's when companies invent custom doodads to do something "fancy" or different and one cannot use that fancy/different service unless they install the given Active-X applet. At work, there is a service that one person needs to do their job, and installing the custom Active-X thing is the only way to get access to the service. It is forced upon them. It is almost like a lawyer saying, "You
      • by billcopc (196330)
        Fine. ActiveX in a controlled environment can be useful in a backwards kind of way, even though I personally believe they should package such functionality as a standalone app in most corporate environments... but given how 99.44% of programmers aren't even worth the hot-dog meat, I guess we have to make compromises.

        The one place where ActiveX does NOT belong, is on the intarwebs. I _far_ prefer the Firefox plugin system, where everything is Javascript and still runs in a sandbox. The petty little featu
        • by Tablizer (95088)
          Fine. ActiveX in a controlled environment can be useful in a backwards kind of way...

          I don't understand your use of "fine". I did not promote Active-X. I was only describing circumstances where one is sort of forced into using such pluggins.
             
        • by Kalriath (849904)
          You describe Firefox ADDONS. Firefox PLUGINS are compiled DLL code written in languages like C++ - Netscape style. Apparently you trust Firefox addons (sandboxed javascript) a lot more than Firefox plugins (random bytecode)
          • by billcopc (196330)
            Correct, apologies for my ambiguity. I trust addons. I don't trust plugins. That said, I don't use many plugins other than the ubiquitous Flash and Shockwave.

            Given what I've seen done with Firefox addons, I'm quite confident that most of the functionality that traditionally used ActiveX can be safely and completely replicated with Javascript and XUL. After all, most of them are simple UI mods.
            • Well yeah, but most of those UI mods are pure fluff -- completely useless for anything worthwhile. I don't really care about the "skin" of the application -- I'm not racist that way. There have been a number of activex controls that I've built into web apps for clients that necessarily need to be bytecode -- well, they necessarily need enough direct access to the machine in order to provide basic functionality that any exploits become real concerns.

              Hey, something as simple as accessing files on the machin
    • Re: (Score:3, Interesting)

      by DigitAl56K (805623)

      Haven't they gotten rid of activeX(ploit) by now? I can't recall the last time I saw it being used for anything useful.

      Flash? DivX Web Player? You don't use either?

      IE7 running on Vista is also secured against many things these controls could do to a system maliciously, even if they were compromised. System APIs that provide access to the registry and file system are restricted for low integrity processes such that you can only address very specific, usually virtualized locations.

      Firefox plug-ins, btw, are DLL files, and I don't see how that's so wildly different?

      Final thought: I just used Vista and IE7 to defend Microsoft,

      • The difference between Firefox plugins and IE ActiveX is with the latter anyone can make a website which throws up a yes or no box which users will click yes on and then it takes over their computer.

        Also toolbars and other stuff in Firefox dont require any executable code at all and are thus less prone to attack.
        Only things like Flash require executable code.
        • by ericlondaits (32714) on Saturday February 23, 2008 @06:32PM (#22529820) Homepage
          Installation of Firefox add-ons (via XPI files) is just a "Yes/No" dialog away. The dialog appears when you attempt to navigate to an XPI file. Also, toolbars and other stuff in Firefox DO have executable code... usually it's just JS, but they can be made to use native DLLs as well. Perhaps you're confusing the fact that their layout is handled through XUL (which is an XML language akin to an HTML for UI layouts), but all interaction and functionality is provided through executable code. I'm not familiar enough with Firefox's security model, but I don't see why a vulnerable Firefox Add-on couldn't be exploited... through their APi they can access the filesystem, get full access to your browser's content, cookies, inject content in 3rd party pages, etc. so the potential is there. It's much easier to exploit vulnerabilities in plug-ins (either Firefox plug-ins or IE Active X) because a page can usually force execution of its functionality by itself... whereas most FF add-ons are activated by the user through the UI, and not by the web content (though popular exceptions to the rule exist, like Ad-Block).
          • My point about the XUL was that its far harder to have a security flaw in your toolbar if you use it than if you make a IE toolbar.
            Firefox handles all the tough code to make a toolbar and the XUL/js just does basic stuff.
            • Defining UI through XUL it's not too different from how you do it in a Windows application (or an ActiveX control) through a Dialog definition in a .res file. Vulnerabilities in ActiveX don't have anything to do with UI... but rather with the exported interface.

              With Firefox you really program most of the extension through JS... XUL just provides the UI that glues it together. But it's a bit like assuming that web pages are safe because you define them mostly through HTML... vulnerabilities through the use o
              • Your completely misread my post.

                Its far harder to make a toolbar with a vulnerability with XUL/JS than making one for IE.
                TFA says that they are targeting specific IE toolbars with flaws. You couldnt do that with standard Firefox toolbars.
  • by Slorv (841945)
    I know little about Windows programming but ActiveX seems to be the source for many of the problems with IE and Windows security.
    Why is it still used so much by commercial actors like Facebook, or not secured by MS?
    • by ILuvRamen (1026668) on Saturday February 23, 2008 @03:19PM (#22528498)
      I'll break it down for you. An activeX is basically a program you download that any website can run on your computer. Yeah that kinda sums it up. If the activeX isn't 100% secure, a website can hack you with it. I usually use an activeX once if completely necessary then delete it instead of leaving it sit around.
      • by CastrTroy (595695)
        Yeah, but you can accomplish the same things with a Java applet or using flash. Why the need to use ActiveX which has been proven insecure over and over again, and only works under IE?
        • Re: (Score:3, Informative)

          If memory serves, both Flash and Java are implemented in IE via ActiveX.
        • by piojo (995934)

          Yeah, but you can accomplish the same things with a Java applet or using flash.
          Sometimes, ActiveX is used when intimate interaction with the user's computer is necessary. I have seen a consulting firm use ActiveX to start a VNC connection for support purposes. Telling the user to go to a URL and click "yes" is a lot easier than telling them to find and run an executable (that may not even be installed).
          • TightVNC and others provide a Java applet for connecting to VNC servers.
            • Re: (Score:2, Informative)

              by billcopc (196330)
              I'm pretty sure the parent was referring to a one-time-use VNC server, as would be used in a remote tech support scenario. Dell uses that sort of thing.

      • by LO0G (606364)
        Not quite.

        ActiveX is the name for a technology that is used to load plugins (every single browser has a similar technology).

        The plugins have vulnerabilities, and the bad guys are exploiting the vulnerabilities in the plugins. There's nothing about ActiveX involved except for the fact that the plugins are written for IE.

        The exact same exploits could be written for Firefox or Safari or Opera, because they all contain support for the vulnerable plugins.

        Windows Vista runs all browser plugins in a very locked d
        • ActiveX is the name for a technology that is used to load plugins (every single browser has a similar technology).
          Actually, ActiveX is an interface which an application must implement. This is not specific to web browsers at all, as ActiveX can be used (and often are) in any Windows application.
          • by LO0G (606364)
            My answer was relatively simplified for the audience. I was just trying to get across the idea that ActiveX isn't an insecure technology per-se (which appears to be the general opinion on the internet), but instead a vehicle for deploying plugins, and it's the plugins that are insecure. As I mentiond, at least one of the vulnerabilities mentioned in TFA are applicable to Firefox (the vulnerability is in QT). The attackers are only targetting QT when it's hosted in IE, but according to Apple, QT is vulner
    • Re: (Score:1, Offtopic)

      by flyingfsck (986395)
      Why? Microsoft has no economic incentive to fix their crapware and being strictly a commercial enterprise, they have no pride and cannot be shamed into fixing their crapware either.
  • Limited user anyone? (Score:5, Informative)

    by Anonymous Coward on Saturday February 23, 2008 @03:22PM (#22528528)
    I run as a limited user . I was attacked .
    Instead of getting crap installed, an error in my security log about an Active X control not having required permissions to install
    So I must ask, How many are vulnerable merely because they foolishly surf as Owner/ Administrator?
    You might that this make no difference, but here, you would be wrong.
    • by calebt3 (1098475)
      I find it incredible how much you can't do as an XP limited account. My parent's WiFi link is defective, and the only way to get it back is to have it go through the 'Repair' process. Limited accounts aren't allowed to do this. Merely for curiosity's sake: can limited accounts in Vista do the Repair function?
      • by perlchild (582235)
        If you can do it in a limited account, and the repair function actually turns off the network, and on again, it's a ddos in the making...
        • If you can do it in a limited account, and the repair function actually turns off the network, and on again, it's a dos in the making...
          DDoS == Distributed Denial of Service
          DoS == Denial of Service

          Fixed that for you.

        • by calebt3 (1098475)
          I can disable/enable networking in Ubuntu without using gksu.
        • by vtscott (1089271)
          That seems like a lame reason to not allow that functionality. I mean, if you allow a limited account to visit websites, they could just keep clicking reload over and over again on the router configuration page. There's another possible DoS attack.
      • by DNS-and-BIND (461968) on Saturday February 23, 2008 @03:55PM (#22528738) Homepage
        I find it incredible how much you can't do as an XP limited account.

        That's kind of the idea there, buddy. Bringing network interfaces up and down is definitely an administrative task. If XP were a real operating system, it'd have some way to temporarily become administrator during a session. Even "run as Administrator" with the proper password doesn't work for tons of programs, QQ and Alibaba Trade Manager being the offenders I'm pissed off with currently.

      • by STrinity (723872)

        Merely for curiosity's sake: can limited accounts in Vista do the Repair function?
        Vista doesn't distinguish between limited and administrator accounts without some major tweaking. By default all accounts are limited, but if you do anything that requires elevated privileges, the screen greys and a dialogue box appears asking if you want to perform the action as administrator. This is the dreaded UAC.
      • by Mr. Vage (1084371)
        I tried to run my parents in limited user mode, but it only caused problems. You really can't do anything as a limited user. Vista has improved on this a lot with UAC. Users run as limited users, but if something requires administrative access they can temporarily raise the application's permissions (Cancel or Allow).
    • How many? About 100% of home Windows users and 99% of business Windows users. Most people have no idea that Windows can be locked down and not the foggiest notion of how to do it, sine they have never heard of MS Technet and Common Criteria Certification.
      • by calebt3 (1098475)
        That's why we can get paid so much as a PC Technician.
      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Moreover, they get pissed right the hell off when they try to go and do something and find "that goddamned security thing won't let me fuck up my computer"...

        I've had any number of people bitch when they try to install their screen saver, or some other PoS bit of crapware doohickey their neice's best-friend got from an pseudo-anonymous myspace poster.

        One of such user was my boss, who despised the notion of operating system security as being "crap that makes it hard (or impossible) to do whatever the hell yo
    • Most of the people who use Myspace, Facebook also play games that need admin to run and some just error out when try to run them as limited user and that some has to do with there copy prevention systems, on line play systems that are used to prevent cheating, built in game auto updating and so on.
  • by gardyloo (512791) on Saturday February 23, 2008 @03:33PM (#22528610)
    I apologize to any *individual* who may have been hit hard by these 'sploits. But if they're forcing better security on those sites, and hitting IE hard, I say Good For The "Criminals"!
    • by causality (777677)

      I apologize to any *individual* who may have been hit hard by these 'sploits.

      I don't feel sorry for them in the slightest. It's not like IE/ActiveX's security track record is some big secret that would take a great deal of effort to find out about. People are voluntarily using a program with an unusually poor security history and are having security problems -- where is the surprise?

      You could argue from the victim mentality and say "but they don't know any better", to which I would ask, do you think

  • by pembo13 (770295) on Saturday February 23, 2008 @03:46PM (#22528688) Homepage
    To check twice as hard for security flaws.
  • by zootie (190797) on Saturday February 23, 2008 @03:49PM (#22528708)
    ActiveX is a way to extend the browser, to make the web site better for -at least Windows- users (and overcome some of the limitations of good old fashioned HTML/HTTP). Truth is that even standards compliant web sites leave something to be desired when compared with native desktop applications. ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers.

    After 15+ years of Internet explosion, you'd expect that we would be doing better in security, and that we wouldn't miss desktop apps. There is a dire need for better web apps that blend better with the local system.

    In fact, while many of us might look forward to Web 2.0 using Ajax/JSON et al, there is a bit of a growing movement in non-standards based environments: Flash and Silverlight are emerging as full fledged OS-like environments inside the browser. Instead of re-inventing the OS using the browser with an interpreted (slow) language (like Netscape, and Java -client- tried to do), you have Adobe and MS coming up with a graphics friendly and programming flexible alternatives within their own ActiveX controls (which are blazing fast because the core is in C++, and the content is pre-compiled). As much as Flash is maligned, I wouldn't be surprised if in 10 years it takes over the Internet, and the browser is little more than a tool to deliver flash content.
    • Per various sources, Flash is on 98% of PC's connected to the Internet. So when I start to refresh my web apps on my companies site (about 8 years old now) what should I use? AJAX type code which may or may not work 6 years from now and I might have to update as vulnerabilities become know? My apps from 6 years ago have some AJAX type coding in them, but had to be backwards compatible with IE 4 and NS 3.0 so it's nothing like AJAX of today. Still, I've spent considerabile time updating libraries with se
    • Re: (Score:3, Interesting)

      by pembo13 (770295)
      I really hope that never happens. Too many websites are in flash as it is. Darn you for wishing for more.
    • by ladybugfi (110420)

      ActiveX is a way to extend the browser.... ActiveX gets the bum rap because it is the entry point (a generic API). The real culprits are third party programmers.

      I strongly disagree. ActiveX has a bad reputation for a reason: it has a very poor security model for its intended use.

      Securitywise, Flash isn't as good as it could be. It seems that the security features have been a gradual add-on features over the years instead of being designed as an integral part of the system from day one. And that approach has never really worked well. For example, as far as I know, you can't digitally sign SWF files.

    • I agree with zoot. I also think other programs such as firefox are just as susceptible to attack. The bad guys go after IE and activeX because they are more widely used. If the user numbers were switched for IE and FF I think you would have just as bad a time, if not worse, with FF as with IE users now.

An optimist believes we live in the best world possible; a pessimist fears this is true.

Working...